05/11/2002 - 21:00

Privacy exemption change nears

05/11/2002 - 21:00


Upgrade your subscription to use this feature.

FOR those operating a small business in Western Australia, December 21 may be a date of importance.On that date last year new privacy provisions introduced into the Privacy Act 1988 came into effect.

Privacy exemption change nears
FOR those operating a small business in Western Australia, December 21 may be a date of importance.

On that date last year new privacy provisions introduced into the Privacy Act 1988 came into effect. These amendments, known as the National Privacy Principles (NPPs), specify requirements to which affected organisations must adhere when collecting, using, disclosing and securing personal information.

The Office of the Federal Privacy Commissioner defines private information as: “any information about an identifiable individual”. This includes such details as a person’s name, address, marital status and income.

With the exception of health service providers, small business operators with an annual turnover less than $3 million are presently exempt from the act. This will change on December 21 2002, however. As of this date, small business operators that collect personal information, service Commonwealth contracts or act as subsidiaries of companies with an annual turnover greater than $3 million may also be caught by the act.

“Most small businesses will find they do not need to comply with the act,” Privacy Commissioner Malcolm Crompton said. “However, small business operators will have to take the necessary steps to determine if they need to comply.

“Businesses such as pharmacies and health clubs have had to comply with the act since December last year.

“However, as of December 21 this year, a number of other small business operators may also need to comply. Real estate agencies and tenancy database operators are two examples of organisations that may now have to also comply with the act.”

The Office of the Federal Privacy Commissioner has released two documents designed to assist small business operators understand the potential impact of the act upon their enterprises. The first, entitled A Privacy Checklist for Small Business, guides small business operators through a seven-step process to determine if compliancy with the act is required. For those small business operators finding they must comply, a second document, entitled A Snapshot of the Privacy Act for Small Business, outlines the steps that need to be taken to achieve this compliancy.

The privacy commissioner indicated that those small business operators falling under the act would need to consider how this would affect the way they handled private information.

“In terms of private information, the risk equation will change for those small business operators that find they must comply with the act,” Mr Crompton said.

“They will need to carefully assess the level of risk management they require to ensure the private information they obtain, hold and use is handled responsibly in accordance with the act.

“Small business operators falling under the act need to ensure that the private information of individuals is treated with respect.

“In this way, the owners of private information can be spared from unexpected surprises, and small business operators from the consequences that may follow.”

To emphasise his point, Mr Crompton cited a recent case in which a financial services firm allowed private customer information to be placed into a rubbish bin intact. When word of this got out, the share price of the company halved. The company has since ceased to trade.

Michael Paterson, principal of law firm Michael Paterson and Associates, indicates that those small business operators falling under the act on December 21 this year need to familiarise themselves with the Privacy Act’s NPPs.

The NPPs provide guidelines as to how private information is to be collected, used, disclosed and secured by organisations falling under the Privacy Act’s requirements.

The NPPs were the topic of a keynote address given by Mr Paterson at the recent Engine Reconditioners Association of Australia National Conference and Trade Expo 2002. In his address, Mr Paterson outlined the potential impact of the NPPs on the association’s members.

Mr Paterson felt that, of the 10 NPPs, the first, which pertains to the collection of information, could require the most work by affected organisations. NPP1 specifies that data may only be collected if an organisation needs that information itself, can collect it lawfully and non-intrusively, advises the individual of how the information will be used and can collect it directly from the individual concerned.

In addition to becoming familiar with the NPPs, Mr Paterson also suggested that affected organisations take a number of other steps to ensure compliance with the act. These include the appointment of a privacy officer within the organisation, the development of a privacy policy, the carrying out of a privacy audit and the formulation of a complaint handling strategy.

“It is also very important that those caught by the act consult both internally and externally in regards to their responsibilities and obligations and enlist the support and cooperation of staff and outside contractors,” Mr Paterson said.

He also indicated that the act might have to be taken into consideration by those buying or selling a business.

“Problems can arise because personal information about existing and prospective customers/clients is likely to be received and given,” Mr Paterson said.

“Therefore, due diligence may need to be observed during the process even if those involved would otherwise not be caught by the act.”

Full details regarding the Privacy Act can be acquired from the Federal Privacy Commissioner’s web site www.privacy. gov.au


Subscription Options